Krebs on Security

In-depth security news and investigation

Gamestop.com Investigating Possible Breach

Video game giant GameStop Corp. [NYSE: GME] says it is investigating reports that hackers may have siphoned credit card and customer data from its website — gamestop.com. The company acknowledged the investigation after being contacted by KrebsOnSecurity.

“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” a company spokesman wrote in response to questions from this author.

“That day a leading security firm was engaged to investigate these claims. Gamestop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified,” the company’s statement continued.

Two sources in the financial industry told KrebsOnSecurity that they have received alerts from a credit card processor stating that Gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017.

Those same sources said the compromised data is thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the backs of credit cards.

GameStop would not comment on the possible timeframe of the suspected breach, or say what types of customer data might be impacted.

Based in Grapevine, Texas, GameStop generated more than $8.6 billion in revenue in 2016, although it’s unclear how much of that came through the company’s Web site. GameStop operates more than 7,000 retail stores throughout the United States, Canada, Australia, New Zealand and Europe. There is currently no indication that the company’s retail store locations may have been affected.

According to Web site statistics firm Alexa.com, Gamestop.com is the 269th most popular Web site in the United States.

“We regret any concern this situation may cause for our customers,” GameStop said in its statement. “GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported.”

I am a regular consumer purchasing quite often. A response from the hierarchy of gamestop stated they will “non stop” to continue to address this however is that supposed to lullaby me to feel my information is safe? Who is protecting our information? Gamestop? A hired tech hand surfing the surface web? This is ridiculous! Sure, remain calm as the media promises to protect their customers with false media reports. The propaganda ends here. Every single major data breach I will post on social media as the MAJORITY won’t know this has happened. CENSOR THIS!!!

Haven’t purchased anything through the GameStop website, but have through a retail store, so far nothing there. But, this reminds me of a few years back where I had a card that was breached. I was first skeptical of the message I had received, especially as the phone number didn’t correlate with anything I could find on the web as being a number for that issuer. So, I called in through the numbers that I knew, they put me through, and yes it was an actual breach. A fake card in question was used at a Walmart about 500 miles away. As I was being questioned to determine that it was actually not me that made that purchase (just an hour before), another transaction was attempted at a Walmart about 500 miles from the original transaction, and about the same distance from me. Doesn’t take long for fake copies of the same card to be available to multiple people.

You have to open it or they won’t accept it as a “used” game and won’t do a return for store credit without a receipt. I griped at my husband for opening a game that he had won at work, it was a game he would never play so he wanted to trade it in, they won’t accept unopened games so he had to open it.

I have never used their online store thankfully. I do my very best to limit my exposure to breaches by purchasing from as few online vendors as possible. The breaches just keep coming. Bigger and bigger each time it seems.

I can’t tell you over the past few years the number of “security directors” that have floated in and out of Game Stop. It seemed to be a revolving door. It was obvious there are issues at this company trying to get a real security program started and sustained.

It appears they didn’t know until customers started having stolen card numbers used. In other words, the payment processors noticed a pattern.
That is bad because it means gamestop isn’t paying enough attention to its internal network to find it on their own.
That’s also why customers haven’t been notified, they haven’t figured out how the hackers got the information or what they took. Once they figure that out they will notify.

My card was compromised on my grandson’s computer now I have to purchase a PSN card in the amount of $59 in order to open his account … this was not my fault … I think there is undermining going on here

How can affected customers report this type of credit card theft? I think I was the victim of this, not at Gamestop but on another website. What can I do other than reporting to my credit card company (they refunded the charges) and to the merchant (they did not respond)?

There is really nothing you can do, beyond what you did in reporting the fraud charges and telling them you want a new CC# as the old one has been compromised. The legal logic here is that your bank is the victim here, not you. Your bank has to pursue the credit card processor. If it wasn’t for folks like Krebs, we often wouldn’t get confirmation of the dots being connected.

I love how literate people seem to be anymore. The lack of understanding how things relate, such as what in direction interactions happen, shows in the lack of understanding language. Now people are saying that their cards got breached. NO!

The server’s security, or a web site’s (not “sight”) security or database is what was breached. Look up the word in the dictionary. Your card numbers are what was taken, not the thing that was broken into/through.

When we see a humpback whale pop out of the water vertically and slam down again, we call it breaching. What is it breaching? The water’s surface. Please learn to read properly and think.

This is interesting. It appears it was a man in the middle account if they’re capturing ccv data. I wonder how long it will be before we start seeing computers with chip card readers. Wait, some machines already read smart cards so they could read the chip too.

Does it make any difference if you choose to “save” your credit card purchases for future purchases or not? In other words, if you choose not to save the info for future purchases, is your credit card information still compromised in cases like this?

Actually, I think the majority of online vendors save your c.c. data by default! I became aware of this practice several yrs. ago when I placed an order with a company via their 800 number (Internet was down or something). In the past, I’d placed orders online, and the salesperson asked me if I wanted to use the same c.c. number that was “on file”!! Firstly, I complained, saying that I was NEVER ASKED if I’d WANTED that info. saved, and that I wanted my c.c. info. deleted from their system as soon as that last transaction had gone through! Since then, I’ve discovered 3-4 more online retailers had done the same thing!! And again, without asking or giving any sort of “opt-out” provision!!!

Late 2015 someone gained access to my “reward points” using them to purchase games. It took a couple of months of dealing with Game Stop via email and phone calls to have the points returned to my account. I used them and refuse to deal with Game Stop again. They refused to tell me where or how the points were used IAW FCRA 609(e). Even after providing proof of being an ID theft/fraud victim in a federal investigation. Even explained how the criminals had opened an account with CONSUMERINFO.COM to monitor my credit reports in real time prior to opening accounts in my name. Some of this was done in NORVA, Richmond and Norfolk. Almost like the criminals were targeting military, NFCU, USAA (their rep stated that they flew someone down to speak to their fraud unit), Pentagon CU, Housing Office at US Army post Fort Lee VA, Pass & ID office at Norfolk Naval Base, being hubs of activity. Most likely not related but willing to bet Game Stop was hacked to be able to steal my points. I saved the emails from dealing with them.